Supply Chain Attacks Or Vulnerabilities Experienced By 80% Of Organisations

By ISBuzz Team, Writer, Information Security Buzz | Oct 28, 2022 02:40 am PST

According to newly reported research, four out of five (80%) organisations have been notified of a vulnerability or attack in their software supply chain in the past 12 months.

The survey of 1,500 IT decision makers and cybersecurity leaders across the UK, North America, and Australia showed the significant impact of supply chain attacks on businesses. Of those that had been notified of such an attack, over half experienced operational disruption (58%), data loss (58%), intellectual property loss (55%) and reputational loss (52%). Almost half (49%) suffered financial loss. Recovery times varied: 53% recovered from an exploited vulnerability in their software supply chain within a week, over a third (37%) took up to a month, and one in 10 (10%) took up to three months.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
October 28, 2022 10:41 am

The top-level findings in this research are not at all surprising. Software supply chains are very complex entities, often with many hundreds, if not thousands, of component suppliers for a single application. Software supply chains are not made up of only commercial software vendors, but include open source components, contracted work, and even data flows to data processors. To find that 75% of survey respondents report that they didn’t have full visibility into the composition of their software supply chain really means that 25% of the respondents haven’t yet attempted to conduct an organisation-wide review of all software, whether procured, downloaded or contracted. What is interesting in the report are the incident impact statements. Recovery from a vulnerability in a software supply chain can be quite disruptive – just ask any team who dealt with Log4Shell in December and January.

That 59% of organisations experienced organisational disruption should serve as a wake-up call that having a complete understanding of how your software supply chain is constructed, on a per-application basis, is a key element of any proactive incident response plan. Updating that incident response plan when there are changes within software supply chains is going to be a challenge for IT defensive teams over the next several years. Enabling technologies like SBOMs will help, but only if an organisation defines and implements processes where new workflows are created based on what SBOMs communicate. The starting point for such an effort is a simple asset management problem – do you know all of the software powering your business? If you don’t know all the software powering your business, and where it came from, there is no possible way you can ensure it’s kept current and patched. Mitigating that risk is the first step in mitigating risks present in software supply chains, and should be a top priority for all CISOs in 2023.

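The comment above argues that an SBOM only helps if the organisation builds a workflow around what the SBOM communicates, starting from a per-application inventory. The following is an added example of the smallest such workflow, written for this page and not taken from the article, from Synopsys, or from any SBOM tool: it parses a CycloneDX JSON SBOM into an application-level component inventory and cross-references it against an advisory watchlist. The SBOM document, the component names and versions, and the advisory identifiers are all constructed placeholders; the CycloneDX field names (`bomFormat`, `specVersion`, `metadata.component`, `components[].name/version/purl`) are the real ones from the CycloneDX JSON schema.

```python
"""Inventory an application's software supply chain from a CycloneDX SBOM
and flag components that fall inside a watchlist's affected version range.

Constructed example: the SBOM, component names, versions and advisory ids
below are placeholders made up for illustration, not real packages or
advisories.
"""
import json

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical application.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1",
         "purl": "pkg:maven/org.example/example-logger@2.14.1"},
        {"type": "library", "name": "example-logger", "version": "2.17.1",
         "purl": "pkg:maven/org.example/example-logger@2.17.1"},
        {"type": "library", "name": "http-client", "version": "4.5.13",
         "purl": "pkg:maven/org.example/http-client@4.5.13"},
        {"type": "library", "name": "example-pad", "version": "1.3.0",
         "purl": "pkg:npm/example-pad@1.3.0"},
    ],
})

# Constructed advisory watchlist: component name -> list of
# (advisory id placeholder, first affected version, first fixed version).
WATCHLIST = {
    "example-logger": [("ADV-PLACEHOLDER-001", "2.0.0", "2.17.1")],
    "http-client": [("ADV-PLACEHOLDER-002", "4.0.0", "4.5.13")],
}


def parse_version(v):
    """Turn a dotted version string into a tuple of ints for comparison.
    Trailing non-numeric text in a segment (e.g. '-beta9') is dropped;
    adequate for this illustration, not a full semver implementation."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_inventory(sbom_json):
    """Return (application name, [(name, version, purl), ...]) from a
    CycloneDX JSON document; one entry per component, duplicates kept."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    app = bom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
    inventory = [(c["name"], c["version"], c.get("purl", ""))
                 for c in bom.get("components", [])]
    return app, inventory


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_exposures(sbom_json, watchlist=WATCHLIST):
    """Cross-reference the SBOM inventory against the watchlist and return
    a list of (application, component, version, advisory id) hits, so a
    team can see which application carries which affected component."""
    app, inventory = load_inventory(sbom_json)
    hits = []
    for name, version, _purl in inventory:
        for advisory, first_affected, first_fixed in watchlist.get(name, []):
            if is_affected(version, first_affected, first_fixed):
                hits.append((app, name, version, advisory))
    return hits


if __name__ == "__main__":
    for app, name, version, advisory in find_exposures(SAMPLE_SBOM_JSON):
        print(f"{app}: {name} {version} matches {advisory}; schedule an update")
```

Run across every application's SBOM, `find_exposures` gives the per-application view the comment calls for: the same component appears twice here at different versions, and only the one inside the affected range is reported, which is exactly the distinction a team needs when deciding what to patch first.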
